Microsoft published information about a new security vulnerability that affects Windows Defender, Microsoft Security Essentials, and several Enterprise-specific anti-malware solutions.

CVE-2018-0986, Microsoft Malware Protection Engine Remote Code Execution Vulnerability, describes a vulnerability in the Microsoft Malware Protection Engine that attackers could exploit to execute code on the system.

What makes the vulnerability particularly problematic is that it is triggered when Microsoft security software scans a specially crafted file. In other words, the attack works without any user interaction beyond the file finding its way onto the target system (for instance via a download or an email attachment), because the real-time scanner opens it automatically.


Microsoft lists several scenarios that attackers could exploit. Attackers could use websites to deliver specially crafted files to users, or attach them to emails or instant messages. One of the easiest options at their disposal is to attack user systems through specially crafted JavaScript files that are loaded, and therefore scanned, when a user opens a site in a web browser.

Microsoft anti-malware products are configured to scan files automatically by default. The file the attack is carried out with would be scanned immediately on systems with real-time protection enabled.

Microsoft released an update for all affected products that corrects the security issue. Windows systems with the engine version 1.1.14700.5 or later are protected from the vulnerability.

You can verify the version on consumer versions of Windows in the following way (thanks Woody)

  • Windows 10: Use Windows-I to open the Settings application and go to Update & Security > Windows Defender.
  • Windows 8.1: Tap on the Windows-key to open the Start Menu. Type Windows Defender and select the result. Select Help > About in the program window.
  • Windows 7: Open the Start Menu with a click. Type Windows Defender and load the result. Select Help > About.

While it is possible to update definitions manually, updates to Windows Defender's malware engine come through Windows Update. You may want to run a manual check for updates if the reported malware engine version is lower than 1.1.14700.5, the version in which the fix was introduced.

  1. Tap on the Windows-key, type Windows Update, and select the result.
  2. Click on check for updates and follow the instructions.
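The version check and update steps above can be scripted on Windows 8.1 and Windows 10 (and the matching server releases), where the Defender PowerShell module is available. The following is an added example and not part of the original article: it reads the engine version with Get-MpComputerStatus, falls back to the EngineVersion value under the Windows Defender "Signature Updates" registry key (assumed to hold the same number the Settings page shows), compares it against 1.1.14700.5 from the advisory, and asks the engine to update if it is older. The function name Get-MpEngineVersion is an illustrative name chosen here. Windows 7 with Microsoft Security Essentials does not ship this module, so the manual Help > About check remains the way to go there.

```powershell
# Added example: is the Microsoft Malware Protection Engine on this machine
# at or above the version that fixes CVE-2018-0986? (Run as Administrator.)
$patchedVersion = [version]'1.1.14700.5'   # fixed engine version per the advisory

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet (Windows 8.1/10, Server 2012 R2+).
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        return [version]$status.AMEngineVersion
    } catch {
        # Fallback: registry value written by definition updates (assumed location).
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
        $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EngineVersion
        if ($raw) { return [version]$raw }
        return $null
    }
}

$engine = Get-MpEngineVersion
if ($null -eq $engine) {
    Write-Warning 'Could not read the engine version. Windows Defender may be disabled or replaced by third-party security software.'
    return
}

# Real-time protection is what causes a downloaded file to be scanned immediately.
$rtp = (Get-MpComputerStatus -ErrorAction SilentlyContinue).RealTimeProtectionEnabled
"Real-time protection enabled: $rtp"

if ($engine -ge $patchedVersion) {
    "Engine $engine is at or above $patchedVersion: patched."
} else {
    "Engine $engine is below $patchedVersion: requesting an update."
    # Pulls the latest definition package, which in practice carries engine updates too.
    Update-MpSignature -ErrorAction Stop
    $engine = Get-MpEngineVersion
    if ($engine -ge $patchedVersion) {
        "Engine updated to $engine: patched."
    } else {
        Write-Warning "Engine is still $engine. Run Windows Update (Settings > Update & Security) and check again."
    }
}
```

The [version] cast matters: comparing the raw strings would sort "1.1.9000.0" above "1.1.14700.5", while System.Version compares each numeric component. If the script prints a version below the fixed one after Update-MpSignature, fall back to Windows Update as the article describes.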

An article on Bleeping Computer offers more information about the vulnerability. According to information posted on the site, it was a Google security researcher who discovered the flaw in mpengine.dll, the engine library. Microsoft rates the bug as critical, the highest severity level, because successful exploitation may grant an attacker full control over the system.

Systems running third-party security software, with Windows Defender (or another affected Microsoft security product) disabled, are not exposed to the vulnerability, since the engine never scans the crafted file. It is still recommended to update the malware engine to the latest version as soon as possible, for instance in case Windows Defender is re-enabled later.